The practice of blurring out text using a method called pixelation may not be as secure as previously thought.
While the most foolproof way of concealing sensitive textual information is to use opaque black bars, other redaction methods like pixelation can achieve the opposite effect, enabling the reversal of pixelized text back into its original form.
Dan Petro, a lead researcher at offensive security firm Bishop Fox, has demonstrated a new open-source tool called Unredacter that reconstructs text from pixelated images, effectively leaking the very information that was meant to be protected.
The tool is also seen as an improvement over an existing utility named Depix, which works by looking up what permutations of pixels could have resulted in certain pixelated blocks to recover the text.
The threat model assumes that, given an image containing redacted text alongside a portion of clear text, an attacker will use what the clear text reveals about font size and type to determine the hidden information.
This is far from the first time similar methods have been proposed to get back redacted information from pixelated content. In January 2022, researchers from Positive Security detailed a method to reverse pixelation in videos.
“Journalists and content creators should consider the extra risks involved in redacting video information. Use a sufficient mosaic size/blur radius or if possible, an opaque single-colored box,” Fabian Braunlein, researcher, said.
Petro concurs. “The bottom line is that when you need to redact text, use black bars covering the whole text. Never use anything else. No pixelation, no blurring, no fuzzing, no swirling.”
“The last thing you need after making a great technical document is to accidentally leak sensitive information because of an insecure redaction technique,” Petro added.
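The following added example (not code from Unredacter, Depix or Bishop Fox) shows a pre-publication check for the advice above: a pixelated region still varies with the content underneath it, while an opaque bar yields the same output for any input. It assumes the usual block-averaging mosaic and uses constructed grayscale grids in place of real screenshots; all function names are hypothetical.

```python
# Added illustration. Images are lists of rows of 0-255 grayscale ints (constructed data).

def pixelate(img, box, block):
    """Mosaic box=(x0, y0, x1, y1): replace each block x block tile with its mean
    (assumed block-averaging filter)."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for by in range(y0, y1, block):
        for bx in range(x0, x1, block):
            ys = range(by, min(by + block, y1))
            xs = range(bx, min(bx + block, x1))
            mean = sum(img[y][x] for y in ys for x in xs) // (len(ys) * len(xs))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out

def black_bar(img, box):
    """Overwrite every pixel in the box with black, discarding the original values."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = 0
    return out

def region_is_opaque(img, box):
    """True only if the region is one single colour, so nothing underneath shows through."""
    x0, y0, x1, y1 = box
    return len({img[y][x] for y in range(y0, y1) for x in range(x0, x1)}) == 1

def make_image(ink_columns, width=16, height=8):
    """Constructed stand-in for rendered text: white page with dark 'ink' columns."""
    return [[0 if x in ink_columns else 255 for x in range(width)] for _ in range(height)]

BOX = (0, 0, 16, 8)                      # region to redact (whole sample image)
secret_a = make_image({1, 2, 5, 9, 10})  # two different constructed "secrets"
secret_b = make_image({1, 6, 7, 13})

def demo():
    pix_a, pix_b = pixelate(secret_a, BOX, 4), pixelate(secret_b, BOX, 4)
    bar_a, bar_b = black_bar(secret_a, BOX), black_bar(secret_b, BOX)
    return {
        "pixelated_outputs_differ": pix_a != pix_b,    # output depends on the secret
        "bar_outputs_identical": bar_a == bar_b,       # output independent of the secret
        "pixelated_passes_check": region_is_opaque(pix_a, BOX),
        "bar_passes_check": region_is_opaque(bar_a, BOX),
    }

if __name__ == "__main__":
    print(demo())
```

Run `region_is_opaque` on the final exported image, after flattening, so the check covers the pixels that will actually be published.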